State and local governmental plans, which are excluded from ERISA, are subject to idiosyncratic legal requirements, including specific investment restrictions. These plans are also not immune to the political winds blowing in their states. Nowhere is this more apparent than in recent developments out of the States of Texas and Maine with respect to fossil fuel divestment. Investment managers of any governmental plan, especially those that take environmental, social and governance (ESG) factors into account, should pay close attention to these developments. Private equity and other fund managers, for the reasons stated below, should also take note.
On June 14, 2021, Texas Governor Greg Abbott signed into law SB 13. This new law, which goes into effect on September 1, 2021, generally prohibits state governmental entities, including the Employees Retirement System of Texas and the Teacher Retirement System of Texas, from directly or indirectly holding the securities of a publicly-traded financial services, banking or investment company that “boycotts” companies that (i) explore, produce, utilize, transport, sell or manufacture fossil fuel-based energy and (ii) do not “commit or pledge to meet environmental standards beyond applicable federal and state law….” The concept of “boycott” is not limited to divestment; rather, it picks up activity that is designed to inflict economic harm on the energy company. The exercise of certain shareholder rights could possibly amount to a “boycott” of a company.
The law also generally prohibits governmental entities from contracting with a service provider unless the contract provides a written verification from the service provider that it does not boycott energy companies and will not boycott energy companies during the term of the contract. This applies to contracts entered into on or after September 1, 2021.
Fiduciaries of these Texas governmental plans remain subject to countervailing fiduciary duties under Texas law, including the Texas Constitution. The new law crucially allows for breathing space between these core fiduciary duties and the state’s interest in protecting significant portions of its economy.
The law provides that these governmental entities are not required to divest from any holdings in “actively or passively managed investment funds or private equity funds.” However, the governmental entities are required to submit letters to the managers of these funds requesting that they remove from the portfolio financial companies that the state comptroller has designated as boycotting energy companies. The Texas governmental entities will alternatively request that the managers “create a similar actively or passively managed fund with indirect holdings devoid of listed financial companies.” Investment managers should be on the lookout for these letters starting this coming fall.
Meanwhile, in Maine, the House of Representatives recently passed a bill that calls for the divestment of fossil fuel companies by the Maine Public Employees Retirement System (Maine PERS) and other permanent state funds by 2026. As with Texas, the law is sensitive to the overriding fiduciary duties that apply to the management of these assets. An official for Maine PERS recently testified that, “[p]ermanently striking broad portions of the financial market is incompatible with earning optimal returns for member retirements, will not change corporate behavior, and may not advance the social goals sought because investments are rarely one dimensional.”
Governmental plans invested in separate accounts or commingled funds managed by an investment manager have always posed risks to that manager, as these plans are subject to their own fiduciary duties and investment restrictions. Though the state laws applicable to governmental plans may contain ERISA-like language, we caution investment managers against relying on ERISA or DOL guidance as a failsafe way to manage governmental plan assets. As evidenced by the disparate approaches the States of Texas and Maine have taken, investment managers should pay close attention to the specific rules applicable to these plans to avoid running afoul of state law. With the calls for fossil fuel divestment growing louder in some quarters, and as other ESG issues come to the fore, careful due diligence on the part of investment managers is essential.
Please contact George Michael Gerstein to discuss these matters or other due diligence issues related to governmental plans.
ERISA-covered plans have entered the digital world. As the amount of confidential information about plan participants that is stored in multiple information systems, and shared among plan service providers, increases, so, too, do the legal risks. The U.S. Department of Labor (DOL) has now made cybersecurity risk an enforcement priority; the courts have started to wrestle with whether participant data is a “plan asset.” Plan sponsors and service providers should brace themselves.
Just this past February, the U.S. Government Accountability Office (GAO) issued a report that highlighted the practice of, and risks related to, sharing personally identifiable information (PII) (e.g., a participant’s social security number, date of birth and username/password) and “plan asset data” (e.g., retirement account and bank account numbers) within the plan ecosystem. The plan sponsor’s own IT infrastructure may be vulnerable to attack or misuse. Where the plan sponsor outsources plan administrative responsibilities to service providers, such as recordkeepers, third-party administrators and custodians, participant PII and plan asset data could be exploited if a service provider is hacked or lacks appropriate internal controls.
The report specifically noted that cybersecurity risk comes in many different flavors and from many different sources. The risk could, for example, be in the form of malware, ransomware, privilege abuse, data exfiltration and account takeover. The source of the risk could come from criminal syndicates, hackers and even an organization’s own employees.
Thus, the GAO report warned, “[t]he sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.” Poor risk controls can lead to the leaking of usernames, passwords and social security numbers, which can lead to the unauthorized access of participant accounts, and, fatally, the illicit draining of a participant’s retirement savings. The misappropriation of participant PII or plan assets by virtue of a cybersecurity attack may not be expressly addressed in ERISA, but its effect on a participant may indeed result in “the great personal tragedy” Congress sought to prevent in enacting ERISA.1
The GAO ultimately made two recommendations: (1) the DOL should formally state whether cybersecurity for ERISA-covered retirement plans is a plan fiduciary responsibility under ERISA; and (2) the DOL should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks to plans and the relevant service providers.
A mere two months later, the DOL issued a series of cybersecurity tips and best practices for plan sponsors, service providers and participants. Specifically:
- Tips for Hiring a Service Provider, to “[h]elp plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.”
- Cybersecurity Program Best Practices, to “[a]ssist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.”
- Online Security Tips, to “[o]ffer plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.”
Useful as the tips and practices may be, the big reveal is that the DOL indicated that ERISA’s duty of prudence encompasses “an obligation to ensure proper mitigation of cybersecurity risks.” This means that a responsible plan fiduciary, when determining whether to hire and retain a service provider, should consider the service provider’s cybersecurity risk controls, and should document such consideration as part of its overall evaluation of the service provider.
The upshot of the DOL’s April 2021 cybersecurity tips and best practices is that they put employers on notice both that the DOL takes this seriously and that plaintiffs could attempt to use this new guidance as a basis for fiduciary duty breach claims. Moreover, service providers can expect detailed questions on cybersecurity in RFPs and RFIs. Plan sponsors will seek more transparency, whereas service providers may be reluctant to divulge too much on their cybersecurity defenses to guard against inadvertently offering up the keys to the castle. The balance of the two will become market practice.
The DOL is ramping up enforcement in this area. Plan sponsors should also gird for class-action lawsuits with allegations of breaches of ERISA’s duty of prudence when participant PII or plan asset data is misused. For these reasons, employers and plan service providers should carefully consider the DOL guidance.
A related string of litigation also poses a risk to plan sponsors and service providers. These suits argue that participant PII and plan asset data constitute “plan assets,” and that using such data for marketing purposes amounts to a breach of fiduciary duties. Some of these suits have targeted both the plan’s sponsor and recordkeeper. So far, the courts have rejected these claims.
In one case,2 plaintiffs brought an action against the plan sponsor and recordkeeper alleging that participant data (e.g., names, contact info, investment history, etc.) constituted “plan assets,” and, therefore, the recordkeeper’s purported sharing of this information with affiliates to cross-sell non-plan retail financial products to participants amounted to violations of ERISA. In granting the recordkeeper’s motion to dismiss, the court ruled that “participant data does not meet the statutory definition of ‘plan assets’….”
In a similar case,3 plaintiffs brought suit against the plan administrator alleging, inter alia, breach of fiduciary duty over the plan recordkeeper’s access to participant information (e.g., investment choice, account size, etc.) and use of that data to market products to the participants. In granting the motion to dismiss, the court stated, “[p]laintiffs cite no case in which a court has held that such information is a plan asset for purposes of ERISA….[t]his Court does not intend to be the first.” Moreover, the court rejected the argument that “releasing confidential information or allowing someone to use confidential information constitutes a breach of fiduciary duty under ERISA.”
Cybersecurity is quickly becoming an important risk area for ERISA plan sponsors. Protection of participant PII and plan asset data against privilege abuse, account takeovers and other vulnerabilities to a participant’s information and account raises the specter of DOL enforcement action and litigation. Service providers should anticipate a greater focus on their cybersecurity measures by plan sponsors and expect that such measures could be an important basis to be hired and retained as a plan service provider. Both employers and plan service providers should also consider whether they are complying with other applicable privacy laws (to the extent such laws are not preempted by ERISA).
1 Nachman Corp. v. PBGC, 446 U.S. 359, 374, 100 S. Ct. 1723, 1733, 64 L. Ed. 2d 354, 366 (1980).
2 Harmon v. Shell Oil Co., No. 3:20-cv-00021, 2021 BL 126207 (S.D. Tex. Mar. 30, 2021).
3 Divane v. Northwestern Univ., No. 16 C 8157, 2018 BL 186065 (N.D. Ill. May 25, 2018), aff’d, 953 F.3d 980 (7th Cir. 2020).
Governmental plans largely operate at the behest of their respective state legislatures. It is, therefore, unsurprising that state governmental plans will take disparate approaches to ESG. Interestingly, various plans have pushed back against new legislation that requires a certain action be taken, as is the case with Maine. Further complicating the analysis are state constitutional provisions that impose broad fiduciary duties, similar to those in ERISA.
The U.S. Department of Labor (DOL) has reinstated the five-part test for when one becomes a fiduciary to retirement investors (e.g., ERISA plan sponsors, participants, IRA owners, etc.) by reason of giving non-discretionary investment advice. While at first blush the reinstatement seems to offer great relief to various financial institutions that were possibly ensnared under the DOL’s tricky 2016 conflicts of interest rule, private fund sponsors, broker-dealers and investment advisers should proceed with caution. Interpretations by the DOL over the second half of 2020 suggest it will liberally interpret (and enforce) the five-part test for when one becomes an investment advice fiduciary. Tellingly, that the Trump administration opted to expansively interpret the five-part test to the point that it has more than a passing resemblance to the 2016 conflicts of interest rule under the Obama administration suggests that, regardless of which party controls the Executive Branch, the risks of becoming a fiduciary have increased and the opportunities to avoid such status have inexorably winnowed.
Under the test, a person provides “investment advice” if he or she: (1) renders advice to a plan as to the value of securities or other property, or makes recommendations as to the advisability of investing in, purchasing, or selling securities or other property; (2) on a regular basis; (3) pursuant to a mutual understanding; (4) that such advice will be a primary basis for investment decisions; and (5) that the advice will be individualized to the plan. In addition to satisfying the five-part test, a person must also receive a fee or other compensation to be an investment advice fiduciary.
All five conditions of the test must be satisfied, plus the receipt of compensation (direct or indirect), for there to be fiduciary investment advice.
The linchpin is that, in order to be an investment advice fiduciary, the financial institution must receive a direct or indirect fee or other compensation incident to the transaction in which investment advice has been provided, in addition to satisfying the 5-part test. The DOL reiterated its longstanding position that this requirement broadly covers all fees or other compensation incident to the transaction in which the investment advice to the plan has been rendered or will be rendered. This could include, for example, an explicit fee or compensation for the advice that is received by the adviser (or by an affiliate) from any source, as well as any other fee or compensation received from any source in connection with or as a result of, the recommended transaction or service (e.g., commissions, loads, finder’s fees, revenue sharing payments, shareholder servicing fees, marketing or distribution fees, underwriting compensation, payments to firms in return for shelf space, recruitment compensation, gifts and gratuities, and expense reimbursements, etc.).
Condition #1: “renders advice to a plan as to the value of securities or other property, or makes recommendations as to the advisability of investing in, purchasing, or selling securities or other property”
The DOL appears to interpret “securities or other property” broadly to include not only recommendations of specific investments but also any recommendation that would change fees and services that affect the return on investments. This means:
- A recommendation of a specific security or fund would meet this requirement.
- A recommendation of a third-party investment advice provider (likely both non-discretionary and discretionary, though this is not clear) would meet this requirement.
- A recommendation of one’s own products or services, which is accompanied by an investment recommendation, such as a recommendation to invest in a particular fund or security, would meet this requirement.1
- A recommendation to switch from one account type to another (e.g., brokerage vs. advisory, commission-based to fee-based) would meet this requirement.
- A recommendation of a third party who provides investment advice for which a referral fee is paid would most likely meet this requirement.
- A recommendation to take a distribution/rollover from a plan into an IRA or from one IRA to another IRA would most likely meet this requirement.2
- A recommendation of an investment strategy/policy or portfolio composition may meet this requirement.
But some communications will not, without more, give rise to a “recommendation” under prong #1. These include:
- Marketing one’s products and services.3
- Investment education, such as information on general financial and investment concepts (e.g., risk and return, diversification, dollar-cost averaging, compounded return, and tax-deferred investment).
- Simply describing the attributes and features of an investment product.
Condition #2: “on a regular basis”
Looks can be deceiving, and that is certainly the case with the “regular basis” requirement. While it would appear to be self-evident, the DOL’s expansive view of this condition should cause service providers to tread carefully. This is because:
- A one-time sales transaction that is a recommendation would be on a “regular basis” if it were deemed part of an existing or future investment advice relationship with the retirement investor or there is otherwise an expectation by the investor that the sales communication is part of an investment advice arrangement.
- An investment recommendation would be on a “regular basis” if it were made on a recurring and non-sporadic basis, and recommendations are expected to continue. Advice need not be provided at fixed intervals to be on a “regular basis.”
- A rollover recommendation to a participant who has previously received investment advice from the financial institution would be on a “regular basis.”
- One-time investment advice to a plan sponsor of an ERISA plan, when the financial institution has provided the plan sponsor investment advice with respect to its other ERISA plans, would be on a “regular basis.”
On the other hand:
- Sporadic or one-off communications are unlikely to be considered on a “regular basis.”
Conditions #3 and #4: “pursuant to a mutual understanding” “that such advice will be a primary basis for investment decisions”
Whether there is a mutual understanding between the parties that communications are—or are not—investment advice turns on the contractual terms and the surrounding facts and circumstances. Here are some markers:
- Does the written agreement expressly provide for investment advice, or does it expressly and clearly disclaim that any investment advice is intended to be provided? The answer to this is not determinative, but it will factor into the position the DOL takes on whether this condition was met for purposes of the 5-part investment advice test.
- Would a Retirement Investor reasonably believe the financial institution was offering fiduciary investment advice based on the financial institution’s marketing and other publicly available materials? Does the financial institution hold itself out as a “trusted adviser”?
The DOL also confirmed that the advice need only be a primary basis, not the primary basis.
Condition #5: “the advice will be individualized to the plan”
The DOL did not elucidate on this requirement in the new rule. A good rule of thumb, however, is that the more individually tailored the communication is to a specific recipient, the more likely the communication will be viewed as a recommendation by the DOL.
Financial institutions, especially those that believe they do not provide investment advice to retirement investors, should carefully consider whether the DOL’s expansive view of these requirements alters their status as a fiduciary so that they do not inadvertently cause a non-exempt prohibited transaction. An accompanying class exemption goes into effect on February 16, 2021 and would be available for those who become investment advice fiduciaries.
1 It is crucial to note that the DOL’s 2016 conflicts of interest rule included an exception for incidental advice provided in connection with counterparty transactions with a plan fiduciary with financial expertise. As the DOL noted then, “[t]he premise… was that both sides of such transactions understand that they are acting at arm’s length, and neither party expects that recommendations will necessarily be based on the buyer’s best interests, or that the buyer will rely on them as such.” The new rule, however, contains no such exception.
2 In the DOL’s eyes, a financial institution that recommends a rollover to a retirement investor can generally expect to earn an ongoing advisory fee or transaction-based compensation from the IRA, whereas it may or may not earn compensation if the assets remain in the ERISA plan.
3 As noted above, the DOL will only treat the marketing of oneself as a “recommendation” if such communication is accompanied by a specific recommendation of a product or service. It is unclear whether the DOL will look for a recommendation of a product or service in fact or in effect, a thorny issue similarly raised under the predecessor 2016 rulemaking.